New US Patient Data rules

American hospitals, healthcare insurance companies, pharmacies, health maintenance organisations and medical researchers are up in arms over data privacy rules approved by Clinton shortly before handing over The White House keys to President Bush.

Who: The US healthcare industry and Congreshcare industry and Congress

When: February 2001

Where: USA

What happened:

American hospitals, healthcare insurance companies, pharmacies, health maintenance organisations and medical researchers are up in arms over data privacy rules approved by Clinton shortly before handing over The White House keys (but it appears not much else remaining inside) to President Bush. Under the rules, healthcare providers must obtain written consent from patients for use or disclosure of information in their medical records. Separately every healthcare provider must appoint a "privacy official" to develop privacy policies and procedures, whilst patients will for the first time have a legal right to inspect and copy their medical records and suggest corrections.

Patients will also be able to demand that doctors and hospitals provide a full account of all disclosures of their data made to third parties over the last six years and violations of these rules can lead to both civil and criminal penalties including a $250,000 fine and ten years in prison if the offence was committed for commercial advantage. Privacy campaigners welcomed the developments, saying that concerns over privacy and security have slowed used of the net by the medical and pharmaceutical industry whilst patients have provided inaccurate medical information because of their fears about its disclosure to third parties.

Why this matters:

Whether the introduction of these rules will "fix" these two above concerns remains to be seen, and there is also the possibility that President Bush might be persuaded to either revise or withdraw the rules entirely. There is time, as the rules are not due to come fully into force for two years. Whether he will be able to contemplate doing this in the face of the current semi-hysteria in the US over privacy rights is another question. If the rules remain, however, this is yet another example of how, sector by sector (see the January 2001 report in this International Newsfeed section on US data privacy rules affecting sweepstakes promotions), the US is creating a body of data privacy law which is soon likely to be far more restrictive (and better enforced) than any equivalent EU measures.